.secure domains require proof of security
Artemis, a subsidiary of the NCC Group, plans to create a form of high-security zone on the internet under the .secure generic Top Level Domain (gTLD). Subdomains on this gTLD would have to use security technologies such as HTTPS and a domain name system that is protected via DNSSEC. These requirements are designed to increase the trustworthiness, authenticity and security of services that run under .secure. On its web site, Artemis explains that this benefits services such as banks, commercial enterprises and non-profit organisations.
Registrants for .secure must provide identity, corporate and trademark documentation that will be checked thoroughly, according to the company. Artemis explains in the FAQ that it will use two-factor authentication for address verification and will check for trademark violations. Registrants must also agree to the company's Acceptable Use and Security Control Policies, which are designed to prevent malicious activity or the inadvertent creation of vulnerabilities through missing security technologies.
Artemis is also working with major internet companies to form the Domain Policy Working Group (DPWG) and create a specification for secure web sites. This specification, the Domain Policy Framework (DPF), will be submitted to the IETF and is intended to become a part of popular browsers and mail servers. Artemis says that the minimum DPF requirements are mandatory DNSSEC signing of every zone, the use of TLS for all HTTP sessions, mail domains that are signed via DKIM, and the use of opportunistic encryption for SMTP. Other DPF requirements are designed to reduce the risk of compromised and illegitimately used Certificate Authorities, and to protect the email traffic between .secure domains.
Artemis plans to use random checks to monitor .secure subdomains. If a minor policy breach is found, the operators will receive a warning via email. The company plans to respond to major policy infringements such as the hosting of malware by suspending or invalidating contracts.
The idea of operating a special policy gTLD isn't new: for instance, the operators of a .mobi subdomain must ensure that any web pages found under such an address are optimised for mobile devices.